01-04-2010 09:43 PM - edited 03-04-2019 07:07 AM
Hello
Is it possible to add a redundant link on each router along with HSRP to achieve load sharing? If so, how would the IP address allocation be for the interfaces mentioned on the diagrams? Also bear in mind that a default route points from each ASA to the ISP border router.
N.B. Marwan and Jon have been suggesting the NAT on the router because of the different address blocks from different ISPs.
Thanks
01-05-2010 01:35 AM
From the routers' perspective this is possible by using a different HSRP group on each inside interface with a VIP address,
but I think the problem is that the ASA will not do load balancing by using two equal-cost routes!
Not sure, but almost this is the case.
Let's see if someone can confirm it.
good luck
01-05-2010 01:50 AM
Hello Marwan
Thanks, and if you find anything, please get back.
Thanks
01-05-2010 02:16 AM
have a look at the following discussion:
https://supportforums.cisco.com/message/1014567#1014567
That means if you use one interface in the ASA and two inside interfaces in each router, you may be able to do what you are looking for.
I haven't tried it with the ASA practically!
thank you
01-05-2010 04:50 AM
Hello marwan
Could you please configure it for me as you did before in that thread, according to the attached diagrams, in order to apply it to my scenario?
thanks and appreciate
01-05-2010 02:43 PM
Hello Sayed
Is there any reason to have dual links from the firewall to the routers? I haven't seen this kind of setup much. The issue is, as Marwan pointed out, having dual layer 3 links from the firewall, and having default routes accordingly. That's a big challenge. If they are in the same network we can add 3 default routes, but what will the physical connectivity look like? We should then introduce some layer 2 switch in between the firewall and router, which can complicate things. Do you want to use the WAN link on router A, even when firewall 1 fails? We should be using more functions of the router to do this, as firewalls have very limited functionality at layer 3 compared to a router.
If you are looking for load balancing, we need to have a different solution.
Let us know. Hope this helps. All the best.
Raj
01-05-2010 03:04 PM
Ali
Raj is spot on with this. You don't normally have dual outside connections from the ASA to separate routers. In fact it won't use multiple default-routes if they point out of different interfaces.
If you want to use both links at the same time then you could conceivably run a dynamic routing protocol between the ASAs and the routers so that each ASA sees 2 routes to each destination. Trouble with this is that the standby ASA does not get the routing updates until the primary fails so there is a delay in failover.
With 2 active links you also need to take care of asymmetric routing ie. traffic out one interface and in another which will be dropped by the ASA.
As Raj says the load-balancing functionality should be done by the routers but this is still problematic because once one of the routers has received the traffic from the ASA it will see the best route as out to the internet unless you start manipulating the metrics. And to start manipulating traffic flows like this often requires BGP which you are not running with your ISP.
You could look at running active/active contexts on the ASA firewalls so in effect you have a context per ISP but this could get quite complex and the ISP links are not equal speed so if you wanted to take that into account it gets even more complex.
What exactly do you want to do in terms of both ISPs ?
Jon
01-06-2010 01:21 AM
Hello Jon and Raj
1) No, I mean a redundant link from each router's inside interface to the outside switch, while for the ASA, sure, just 1 link from each to the outside switch.
2) Can we have it as a scenario so that we have the same speed from both ISPs and a default route to both ISPs? How could it be now?
3) How could the deployment scenario be at the ASA for a context per ISP? Do you have a deployment scenario similar to my question?
4) Does GLBP now come into play, or just HSRP as you advise me?
Any advice now?
Thanks, and I really appreciate it.
N.B. I build my experience using NetPro (thanks, NetPro).
01-06-2010 02:08 AM
I think multiple contexts will complicate the topology, as you do not have any separation, just one flat network.
GLBP will cause problems for the VPN traffic you have, because it will create asymmetrical routing.
As I remember, you now have HSRP in the outside network configured on the inside interfaces of the routers.
If you are looking to add an additional interface in each router in the inside network, that means you will need to add an additional HSRP group.
This will be useful only in the case where the inside interface of router one (active) fails; in this way you will be able to use the other inside interface, which resides in the other HSRP group.
In the ASA you will have two static default routes, each one pointing to one of the HSRP groups' VIPs.
Not sure if this is what you were looking for!
good luck
if helpful Rate
01-06-2010 08:39 AM
Hello marwan
Yes, this is what I am looking for. Please post a config according to the diagram.
thanks
01-06-2010 05:20 PM
Let's say each router has two inside interfaces.
Router 1 is active for group 1 and standby for group 2:
10.1.1.1
20.1.1.1
Router 2 is active for group 2:
10.1.1.2
20.1.1.2
router 1:
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
 duplex auto
 speed auto
 standby 1 ip 10.1.1.100
 standby 1 priority 110
 standby 1 preempt
 ! "standby 1 track" takes the interface or object to track (not specified here)
 standby 1 track
!
interface FastEthernet1/1
 ip address 20.1.1.1 255.255.255.0
 no shutdown
 duplex auto
 speed auto
 standby 2 ip 20.1.1.100
 standby 2 preempt
router 2:
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
 duplex auto
 speed auto
 standby 1 ip 10.1.1.100
 standby 1 preempt
!
interface FastEthernet1/1
 ip address 20.1.1.2 255.255.255.0
 no shutdown
 duplex auto
 speed auto
 standby 2 ip 20.1.1.100
 standby 2 priority 110
 standby 2 preempt
 ! "standby 2 track" takes the interface or object to track (not specified here)
 standby 2 track
In the ASA you will need to have two default routes to the outside, one pointing to 10.1.1.100 and the other pointing to 20.1.1.100 (IPs here are for the example only).
good luck
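An added example, not part of the original post and not Cisco tooling: a small Python consistency check for the two-group HSRP layout described above, run against constructed sample configs. The function names (`parse`, `check_pair`) and the sample text are assumptions made for illustration.

```python
import ipaddress

# Constructed sample configs (not from a live device), modeled on the layout
# in the post above: two inside interfaces per router, HSRP groups 1 and 2.
ROUTER1 = """
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 standby 1 ip 10.1.1.100
 standby 1 priority 110
interface FastEthernet1/1
 ip address 20.1.1.1 255.255.255.0
 standby 2 ip 20.1.1.100
"""
ROUTER2 = """
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.100
interface FastEthernet1/1
 ip address 20.1.1.2 255.255.255.0
 standby 2 ip 20.1.1.100
 standby 2 priority 110
"""
# Constructed faulty variant: router 2 reuses router 1's address in group 2.
ROUTER2_DUP = ROUTER2.replace("20.1.1.2 ", "20.1.1.1 ")

def parse(cfg):
    """Map HSRP group number -> interface address, virtual IP and priority."""
    groups, addr = {}, None
    for w in map(str.split, cfg.splitlines()):
        if w[:2] == ["ip", "address"]:
            addr = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:1] == ["standby"] and len(w) == 4 and w[2] in ("ip", "priority"):
            # HSRP priority defaults to 100 when not configured.
            g = groups.setdefault(int(w[1]), {"addr": addr, "ip": None, "priority": 100})
            g[w[2]] = ipaddress.ip_address(w[3]) if w[2] == "ip" else int(w[3])
    return groups

def check_pair(cfg_a, cfg_b):
    """Return findings for two HSRP peers; an empty list means consistent."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for grp in sorted(set(a) & set(b)):
        x, y = a[grp], b[grp]
        if x["ip"] != y["ip"]:
            out.append(f"group {grp}: virtual IPs differ")
        if x["addr"].ip == y["addr"].ip:
            out.append(f"group {grp}: both routers use {x['addr'].ip}")
        if x["ip"] not in x["addr"].network or x["ip"] not in y["addr"].network:
            out.append(f"group {grp}: virtual IP outside interface subnet")
        if x["priority"] == y["priority"]:
            out.append(f"group {grp}: equal priority, active router not pinned")
    return out
```

`check_pair(ROUTER1, ROUTER2)` returns an empty list, while the constructed faulty variant is flagged for the duplicate interface address in group 2.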
01-06-2010 08:49 PM
Thanks a lot Marwan, I do appreciate your support.